Backdoors

All things embedded.
*NO FEATURE REQUESTS*

Re: Backdoors

Postby max » Sun Apr 15, 2012 9:56 am

Goran wrote:There is a tool for D200 dead pixels remap that writes to firmware using usb - http://narod.ru/disk/4848449000/D200_IM ... 6.rar.html

It`s a bit old, and protocols probably differ, but maybe some of you guys find it usefull in finding a way of how it comunicates with camera.


Brilliant, thanks Goran! Got any more treasures hiding?
-m
max
Site Admin
 
Posts: 371
Joined: Sat Nov 26, 2011 2:40 pm
Been thanked: 106 times

Re: Backdoors

Postby Goran » Sun Apr 15, 2012 10:03 am

max wrote:
Brilliant, thanks Goran! Got any more treasures hiding?
-m


That is the only service software I found, an believe me I have made an insane research. Looked all over and found nothing, than started with russian sites and forums and found this. I even contacted guy that has the software, and that was dead end too. His page about it - http://www.potroshiteli.ru/Test/Dead_Pixel_D200.html

http://lens-club.ru/ has some service manuals pdfs, but tools explained in those manuals are imposible to find.
Goran
 
Posts: 41
Joined: Tue Dec 27, 2011 3:01 am
Been thanked: 2 times

Re: Backdoors

Postby Enkoi » Sun Apr 15, 2012 5:29 pm

I never use Ubuntu (or the hard drive its stored on), but there is a program on there which I forgot about. Introducing gtKam (gPhoto), which is now outdated by gPhoto2. Libgphoto2 is the core of gPhoto2, and is a portable library which allows access to hundreds of cameras.
http://gphoto.org/proj/libgphoto2/

Through USB you can take control of your camera (including Nikons). Edit the f/stop, shutter speed, ISO and many other features. http://gphoto.org/proj/gtkam/

Yes, its for Linux, but the developers have released their reverse engineer logic (look for it in Documentation). They also include how libgphoto2 works. Picture related. "libgphoto2 is the core library designed to allow access to digital camera by external programs. Here is an overview of the global architecture...It abstracts communication ports and camera protocol, to allow a complete modularity. To support a new communication physical layer (like IEEE1394), just add a new port to libgphoto2_port. To support a new kind a digital camera, just provide a new camlib with the required callbacks. All of this will be transparent to client (programs that call libgphoto2")
Image
Enkoi
 
Posts: 3
Joined: Sun Apr 15, 2012 7:24 am
Been thanked: 0 time

Re: Backdoors

Postby Vicne » Sun Apr 15, 2012 10:51 pm

Interesting.
Regarding USB backdoors, I just contacted dukusi, who created the Nikon Camera Control project (just announced on NikonRumors) : http://code.google.com/p/nikon-camera-control
I invited him to join us here because I think his project shares the same idea of going further with Nikon cameras, and he seems to be a very skilled developer. His tool is impressive...

Vicne
Vicne
Core Developer
 
Posts: 1703
Joined: Tue Nov 29, 2011 2:30 pm
Been thanked: 155 times

Re: Backdoors

Postby dukusi » Sun Apr 15, 2012 11:39 pm

Hi everyone.
Just yesterday (all day) i playing around low level usb controlling my D5100, i want to use live view without using Nikon sdk.
The camera use the PIMA15740 Standard - Media Transfer Protocol (MTP) to communicate with host , there a good documentation in nikon sdk about it. I managed to get image using this standard or start liveview (i think after sound of mirror) but when i try to get data give me some error which no sense in that context.

Now in my application use a simple old protocol WIA to communicate with camera.
dukusi
 
Posts: 3
Joined: Sun Apr 15, 2012 11:26 pm
Been thanked: 1 time

Re: Backdoors

Postby leegong » Sun Apr 15, 2012 11:48 pm

If possible, combining the USB controlling with Step trace trap function of MCU might become an on-chip debugger, should do great help for hacking.
leegong
Core Developer
 
Posts: 1612
Joined: Mon Mar 19, 2012 12:21 am
Been thanked: 113 times

Re: Backdoors

Postby max » Mon Apr 16, 2012 8:15 am

dukusi wrote:Hi everyone.
Just yesterday (all day) i playing around low level usb controlling my D5100, i want to use live view without using Nikon sdk.
The camera use the PIMA15740 Standard - Media Transfer Protocol (MTP) to communicate with host , there a good documentation in nikon sdk about it. I managed to get image using this standard or start liveview (i think after sound of mirror) but when i try to get data give me some error which no sense in that context.

Now in my application use a simple old protocol WIA to communicate with camera.


Welcome dukusi and Enkoi!

I've played with libgphoto a little bit, and I would definitely consider using it as a base for camera communication -- it has all the PTP stuff figured out.

dukusi, what library are you using to talk to the camera, or did you create one ? I'm wondering if you have to be in basic PTP mode in order to get live view to work?

Once you can talk to the camera, we still don't know how to invoke a firmware transfer. My hope is that we can find that information inside one of the firmwares we have for the D5100.

leegong wrote:If possible, combining the USB controlling with Step trace trap function of MCU might become an on-chip debugger, should do great help for hacking.


This sounds very interesting -- do you think that the required hardware hooks are in the USB interface to be able to do this?

-m
max
Site Admin
 
Posts: 371
Joined: Sat Nov 26, 2011 2:40 pm
Been thanked: 106 times

Re: Backdoors

Postby leegong » Mon Apr 16, 2012 8:34 am

max wrote:
leegong wrote:If possible, combining the USB controlling with Step trace trap function of MCU might become an on-chip debugger, should do great help for hacking.

This sounds very interesting -- do you think that the required hardware hooks are in the USB interface to be able to do this?
-m

No,i don't think any hardware hook needed.
My understanding: Setup step trace trap control bit , TBR register, step trace trap INT0xC vector in FUJITSU, the interrupt routine can get
MCU control after each instruction executed, it may save all data in each registers,send these data to PC via USB connection.
At least it is doable in theory.There are three kinds of debug method with SoftuneWorkBench described in FUJITSU offical web, this is one of them.
leegong
Core Developer
 
Posts: 1612
Joined: Mon Mar 19, 2012 12:21 am
Been thanked: 113 times

Re: Backdoors

Postby stuge » Mon Apr 16, 2012 8:47 am

max wrote:I've played with libgphoto a little bit, and I would definitely consider using it as a base for camera communication -- it has all the PTP stuff figured out.

It's fine for PTP stuff, but if any relevant debug functionality is available over USB then I guess it will not follow PTP to the letter, and libgphoto2 may not bring much. But let's see!

Once you can talk to the camera, we still don't know how to invoke a firmware transfer.

This is not neccessarily possible at all.

leegong wrote:If possible, combining the USB controlling with Step trace trap function of MCU might become an on-chip debugger, should do great help for hacking.

This sounds very interesting -- do you think that the required hardware hooks are in the USB interface to be able to do this?

"hardware hooks" is an extreme simplification of what is required for something like that to actually work.

leegong wrote:At least it is doable in theory.

Except that we assume that firmware also handles USB communication, and firmware can not simultaneously be traced/trapped at one place in the code while executing USB communication routines at another place.

Usually "soft debug" like this is not really common, and an external connection and dedicated hardware is neccessary to have full control over the processor. As I've mentioned, real FR debug hardware is neither simple nor cheap. The debug communication between the debug hardware and the processor may actually be simple, and then it could be possible to develop our own cheap hardware to do debugging, but we can't know without at least having some captures of the communication with the real debug hardware.

A "soft" RealOS debugger could theoretically be (made) part of the firmware, without any external hardware, but it would be limited in what it could do, especially if our assumption that firmware also handles USB communication holds true (I believe it does).

But, if anyone does find some USB request handlers in the firmware which are useful for debugging then I'm happy to quickly make some host software to exercise them.
stuge
 
Posts: 77
Joined: Fri Feb 03, 2012 3:00 am
Been thanked: 0 time

Re: Backdoors

Postby max » Mon Apr 16, 2012 9:02 am

stuge wrote:It's fine for PTP stuff, but if any relevant debug functionality is available over USB then I guess it will not follow PTP to the letter, and libgphoto2 may not bring much. But let's see!


From what I can tell looking at the SDKs, all USB features of interest are built on PTP -- so we will need to at least have the PTP application-layer communication working before anything else can be done.

This is not neccessarily possible at all.


We haven't proven it yet, but looking at the service manuals for other older DSLRs (D700 being the newest I have), it does seem like reading and writing to flash is possible. For service reasons it would make a lot of sense.

"hardware hooks" is an extreme simplification of what is required for something like that to actually work.


I know. Like you said, it's possible that using the debug features of the MCU through the USB may be physically impossible. I wanted to verify that component before we entertain being able to use it. For example, on some Motorola processors used in car ECUs most of the debug features are only available through a dedicated port (BDM/JTAG). There is no connection on the board between this port and one of the system interfaces such as OBD-II.

The point of this thread is to look to exploit whatever existing USB functions there are, and possibly adding our own. If we can also manage to use the interface for microcode debug, then great!

-m
max
Site Admin
 
Posts: 371
Joined: Sat Nov 26, 2011 2:40 pm
Been thanked: 106 times

PreviousNext

Return to Firmware

Who is online

Users browsing this forum: No registered users and 5 guests